DCry ransomware virus. How to remove? (Uninstall guide)

removal by Linas Kiguolis | Type: Ransomware

DCry crypto-malware developers persistently create new versions

The image displaying DCry virus

DCry virus is crypto-malware that tries to evoke more terror by posing as the notorious WannaCry[1] ransomware. Fortunately, it does not exhibit the capabilities of that threat. There have been similar imitators, such as FakeCry, which inflict great damage. However, the release of a decrypter has not discouraged the racketeers from continuing this illegal activity: a DCry 2.0 version has made its appearance.

As for the current virus, it does not launch its own graphical interface. Its HOW_TO_DECRYPT.txt file delivers only scarce information:

Files has been encrypted.
If you want to decrypt, please, write me to e-mail: bbqb@protonmail.com

The message delivered through a MsgBox repeats the same information. Besides these traits, the original malware version appends the .dcry file extension to encrypted files, but newer versions use the .qwqd extension.

Interestingly, the malware has links to Germany[2]. According to its technical specifications, it is detected as Trojan-Ransom.Win32.Purgen, Ransom_FAKEWCRY.I, or Trojan.GenericKD.5584545. The first of these detection names resembles those given to variants of the GlobeImposter ransomware family.

Luckily, multiple cyber security applications are able to detect this malicious presence, so you will be able to remove DCry virus as well. Reimage or Malwarebytes Anti Malware will speed up the process.

Update September 15th, 2017. The developers of this malware seem to be persistently working on new improvements. Besides the recent .qwqda extension variant, the perpetrators have now released a new version, DCry 2.0 malware, which adds the .dian file extension to mark encrypted files.

This version seems to be still under development, as the malware authors left an amusing greeting for the well-known ransomware researcher Michael Gillespie embedded in the source code. Leaving aside the entertaining remarks, the virus is detected as Uds.Dangerousobject.Multi!c, TR/AD.RansomHeur.rfwab, Ransom_Purgen.R01BC0WIB17, etc. Judging by the latter, the modus operandi does not seem to have changed dramatically. Besides the mentioned changes, the cyber criminals switched to the lnq@protonmail.com email address as well.

Update September 11th, 2017. In response to the released decrypter, the malware developers have created another version, which attaches the .gocr file extension. The ransom note slightly changed its veneer as well: the felons now present their demands in a HOW_TO_GET_MY_FILES.txt file, and the content of the message was slightly altered. Here is a short extract from it:

Hello my friend, first sorry for this.
Your files have been crypted with AES-256 method.
Don't try decrypt files use third-party software, otherwise you may loss all files permanently.
If you want to decrypt your data, write to e-mail: lnq@protonmail.com.
If you want to test the decrypt, go to https://s7c4wrcmzgbtldbs.onion (use tor browser)

Update July 14th, 2017. Security experts Michael Gillespie and Francesco Mauroni managed to create a free decryption tool for victims of the DCry crypto-virus. Therefore, do not hesitate and remove the ransomware ASAP. You have a chance to restore your files for free, so do not even consider paying the ransom to the cybercriminals. You can find DCry Decrypter here.

NOTE: DCry Decrypter has been updated to restore files encrypted by the latest ransomware version, which appends the .qwqd extension and uses the qwqd@protonmail.com email address for communication.
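To help a victim tell the variants described above apart before reaching for the decrypter, here is an added triage script (not part of the original guide and not the decrypter itself). It walks a directory for the extensions, ransom-note file names and contact addresses listed in this write-up and reports whether every affected extension is one the free decrypter is said to cover; the sample directory it builds is constructed for the demonstration.

```python
import os
import tempfile

# Indicators taken from the write-up above: the extension each DCry variant appends,
# the ransom-note file names, and the contact addresses quoted in the notes.
VARIANT_BY_EXTENSION = {".dcry": "DCry (original)", ".qwqd": "DCry (.qwqd variant)",
                        ".gocr": "DCry (.gocr variant)", ".dian": "DCry 2.0"}
RANSOM_NOTES = {"HOW_TO_DECRYPT.txt", "HOW_TO_GET_MY_FILES.txt"}
CONTACT_EMAILS = {"bbqb@protonmail.com", "qwqd@protonmail.com", "lnq@protonmail.com"}
FREE_DECRYPTER_COVERS = {".dcry", ".qwqd"}  # extensions the free DCry Decrypter handles


def triage(root):
    """Walk `root` and report which DCry variant(s) appear to be present."""
    report = {"encrypted": {}, "notes": [], "emails": set()}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            ext = os.path.splitext(name)[1].lower()
            if ext in VARIANT_BY_EXTENSION:
                report["encrypted"].setdefault(ext, []).append(path)
            if name in RANSOM_NOTES:
                report["notes"].append(path)
                with open(path, "r", errors="replace") as fh:
                    text = fh.read().lower()
                report["emails"].update(e for e in CONTACT_EMAILS if e in text)
    report["variants"] = sorted(VARIANT_BY_EXTENSION[e] for e in report["encrypted"])
    # The free decrypter only helps if every affected extension is one it supports.
    hit = set(report["encrypted"])
    report["free_decrypter"] = bool(hit) and hit <= FREE_DECRYPTER_COVERS
    return report


def build_sample_tree():
    """Create a throwaway directory mimicking a .qwqd infection (constructed sample, not a real capture)."""
    root = tempfile.mkdtemp(prefix="dcry_sample_")
    docs = os.path.join(root, "Documents")
    os.makedirs(docs)
    note = ("Files has been encrypted.\n"
            "If you want to decrypt, please, write me to e-mail: qwqd@protonmail.com\n")
    files = {"report.docx.qwqd": "", "budget.xlsx.qwqd": "", "notes.txt": "", "HOW_TO_DECRYPT.txt": note}
    for name, content in files.items():
        with open(os.path.join(docs, name), "w") as fh:
            fh.write(content)
    return root


if __name__ == "__main__":
    r = triage(build_sample_tree())
    print(r["variants"], sorted(r["emails"]), "free decrypter applicable:", r["free_decrypter"])
```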

WannaCry – as the inspiration for cyber villains

Though almost two months have passed since the first wave of that threat, other crooks still use it as material to evoke more fear in victims. Fortunately, such clones often turn out to be poorly programmed and much less destructive.

DCry ransomware is one such sample. On the other hand, its developer cunningly creates a diversion: the virus contains references to FakeCry, WammaCry, and even Globe, since some anti-virus engines detect it as the Purgen virus, a name referring to Globe.

Furthermore, the virus operates through Cryptor.exe and message.vbs files. The malware connects to hidden onion websites and to www.indyproject.org/. The latter is an open-source website created by an unknown group of netizens.

It is designed for exchanging ideas on how to transfer an entire system to another computer. Given that DCry may target systems via the remote desktop protocol (RDP), these websites look more than shady. The malware also connects to one IP address which links to Germany. However, taking into account that the perpetrator uses Tor, this might be only a diversion.

Key aspects of transmission strategy

Besides RDP, the threat may lie in wait for Windows OS users on certain corrupted websites. Thus, when they click on a certain link or download content from an infected website, they might encounter a DCry infection.

The latter method is becoming much more dangerous, as cyber criminals have found a way to embed an infection in a file that no longer requires the victim to click on it: hovering the mouse over it[3] is enough to trigger the crypto-malware.

Thirdly, note that ransomware distribution via spam emails is still viable. Vigilance and caution alone are not sufficient to counter ransomware; you will also need cyber security applications to ward off and counterattack the malware. Now let us move on to the section which presents DCry removal options.

Eradicate DCry virus

Even though the malware may not be as destructive as the threat it imitates, you should not delay DCry removal. In some cases, rebooting the computer interrupts the data encryption process.

Before you decrypt files, you might check some of our suggested programs at the bottom of the page. Hungarian users should be especially careful, as the virus might target the residents of this country more.[2]

We might be affiliated with any product we recommend on the site. Full disclosure in our Agreement of Use. By Downloading any provided Anti-spyware software to remove DCry ransomware virus you agree to our privacy policy and agreement of use.

More information about this program can be found in Reimage review.

Manual DCry virus Removal Guide:

Remove DCry using Safe Mode with Networking

Make use of the Safe Mode function. It grants you only partial access to the system, but it bypasses any interference caused by the virus.

  • Step 1: Reboot your computer to Safe Mode with Networking

    Windows 7 / Vista / XP
    1. Click Start > Shutdown > Restart > OK.
    2. When your computer becomes active, start pressing F8 multiple times until you see the Advanced Boot Options window.
    3. Select Safe Mode with Networking from the list.

    Windows 10 / Windows 8
    1. Press the Power button at the Windows login screen. Now press and hold Shift on your keyboard and click Restart.
    2. Now select Troubleshoot > Advanced options > Startup Settings and finally press Restart.
    3. Once your computer becomes active, select Enable Safe Mode with Networking in the Startup Settings window.
  • Step 2: Remove DCry

    Log in to your infected account and start the browser. Download Reimage or another legitimate anti-spyware program. Update it before running a full system scan, then remove the malicious files that belong to the ransomware to complete DCry removal.

If the ransomware is blocking Safe Mode with Networking, try the next method.

Remove DCry using System Restore

  • Step 1: Reboot your computer to Safe Mode with Command Prompt

    Windows 7 / Vista / XP
    1. Click Start > Shutdown > Restart > OK.
    2. When your computer becomes active, start pressing F8 multiple times until you see the Advanced Boot Options window.
    3. Select Safe Mode with Command Prompt from the list.

    Windows 10 / Windows 8
    1. Press the Power button at the Windows login screen. Now press and hold Shift on your keyboard and click Restart.
    2. Now select Troubleshoot > Advanced options > Startup Settings and finally press Restart.
    3. Once your computer becomes active, select Enable Safe Mode with Command Prompt in the Startup Settings window.
  • Step 2: Restore your system files and settings
    1. Once the Command Prompt window shows up, enter cd restore and press Enter.
    2. Now type rstrui.exe and press Enter again.
    3. When a new window shows up, click Next and select a restore point that predates the DCry infiltration. After doing that, click Next.
    4. Now click Yes to start System Restore.
    Once you restore your system to a previous date, download and scan your computer with Reimage and make sure that DCry removal is performed successfully.

Bonus: Recover your data

The guide presented above is supposed to help you remove DCry from your computer. To recover your encrypted files, we recommend using the detailed guide prepared by 2-spyware.com security experts.

If your files are encrypted by DCry, you can use several methods to restore them:

How useful is Data Recovery Pro?

This utility is said to recover lost and corrupted files. In addition, if you have accidentally deleted highly important emails, it will help you retrieve them.

The benefits of Shadow Explorer

Since this virus is not a full-fledged copy of WannaCry, you may be able to restore files affected by DCry virus with the assistance of this program. It restores files from shadow volume copies.

  • Download Shadow Explorer (http://shadowexplorer.com/);
  • Follow a Shadow Explorer Setup Wizard and install this application on your computer;
  • Launch the program and use the drop-down menu in the top left corner to select the disk holding your encrypted data. Check what folders are there;
  • Right-click on the folder you want to restore and select “Export”. You can also choose where you want it to be stored.

DCry Decryptor

There is a free decryption tool available, so victims who have their files marked with .dcry and .qwqd extensions can now restore them for free. Just download the DCry decryption tool from here and start decrypting your files!

Finally, you should always think about protection against crypto-ransomware. In order to protect your computer from DCry and other ransomware, use a reputable anti-spyware program, such as Reimage, Plumbytes Anti-Malware, Webroot SecureAnywhere AntiVirus or Malwarebytes Anti Malware.

About the author

Linas Kiguolis - Expert in social media

References